Should I run a vulnerability scan on Production or Staging environment?
Last updated: June 8, 2026
Introduction
Choosing the right environment for your vulnerability scan affects both scan quality and risk to your application. This guide helps you make that decision quickly.
Quick Recommendation
Use staging when possible. Use production only when staging isn't available or representative.
Environment Comparison
When to Use Staging
Use staging if you:
Have a staging environment that mirrors production closely
Want to scan frequently (daily/weekly)
Are running your first scan on a new target
Have paid APIs or integrations that could incur costs during testing
Important: Your staging environment should mirror production as closely as possible. Significant configuration differences can cause false positives or missed vulnerabilities.
When to Use Production
Use production if you:
Don't have a staging environment
Need to validate fixes are working in the live environment
Are running a final re-scan after staging validation
If scanning production, inform your team beforehand. The scanner sends controlled requests and is designed to avoid downtime, but temporary slowdowns are possible.
Note: If your application uses paid third-party APIs, let our team know so we can avoid unnecessary calls during the scan.
Recommended Workflow
Run initial scans and fix vulnerabilities in staging
Deploy fixes to production
Request a final re-scan on production to confirm fixes are live
Troubleshooting
Scan caused slowdowns in production: Reduce the scan speed in Target Settings → General Settings → Scan Speed.
Test data appeared for real users: Stop the scan immediately via the Continuous Scans page and raise a support ticket. For future scans, use staging or a dedicated test account.
Staging results don't match production: Ensure your staging environment uses the same configurations, security headers, and authentication setup as production.
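As an added illustration of the parity advice in the Important note and in the last troubleshooting entry (example code written for this page, not part of the guide or the scanner product): a small Python check that compares the security-relevant response headers of a production response with those of a staging response and reports where staging diverges, so that findings from a staging scan can be trusted to reflect production. The header list is an assumption, and both sample responses are constructed.

```python
"""Compare security-relevant HTTP response headers between production and
staging. Hypothetical helper for this page; header samples are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Assumed list of headers whose presence and value most affect scan findings.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "set-cookie",  # compared by attribute flags only, never by cookie value
)


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them in lower case."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def _cookie_flags(value: Optional[str]) -> Set[str]:
    """Return the attribute names (secure, httponly, samesite...) of a cookie."""
    if not value:
        return set()
    return {p.strip().split("=")[0].lower() for p in value.split(";")[1:]}


def compare_security_headers(prod: Dict[str, str],
                             staging: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, production_value, staging_value) for each security
    header that is missing on staging or differs from production."""
    prod, staging = _normalize(prod), _normalize(staging)
    diffs = []
    for name in SECURITY_HEADERS:
        p, s = prod.get(name), staging.get(name)
        if name == "set-cookie":
            if p is not None and _cookie_flags(p) != _cookie_flags(s):
                diffs.append((name, p, s or "<missing>"))
        elif p != s:
            diffs.append((name, p or "<missing>", s or "<missing>"))
    return diffs


# Constructed sample responses, not captured from any real deployment.
PROD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc; Secure; HttpOnly; SameSite=Lax",
}
STAGING_HEADERS = {  # HSTS missing, weaker framing policy, cookie lacks Secure
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "set-cookie": "session=xyz; HttpOnly",
}

if __name__ == "__main__":
    for name, p, s in compare_security_headers(PROD_HEADERS, STAGING_HEADERS):
        print(f"{name}: production={p!r} staging={s!r}")
```

Any line printed is a configuration gap to close before trusting staging scan results for that finding class.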